Hi Holger,
I'd try with the following ACLs:
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=example,dc=com" write
by anonymous auth
by self write
by * none
access to *
by dn="cn=admin,dc=example,dc=com" write
by users read
by * none
This way you'll be allowing unauthenticated users to log in using
their password fields and you'll restrict read access on the rest of
the base to authenticated users. The first ACL also allows users to
change their own passwords (write in the userPassword and
shadowLastChange attributes).
2010/9/29 Holger Schier <hschier@mathematik.uni-mainz.de>:
> Hey guys,
>
> I am working with the LSEE 11 and trying to run a LDAP server. From scratch
> on everything went fine. With the standard configuration I can login, but if
> I use the LDAP Browser and hit anonymous access, I can see my whole LDAP
> tree. User name, mailaddresses and so on. And I am not happy with it.
>
> So I tried to change the access control from
> access to * by * read
> to
> access to * by * auth
> or
> access to * by * search
>
> The user password is already in auth mode.
>
> But with every other configuration instead of read, I cannot login anymore.
> Insufficient access. After the first try with auth I read the log files and
> saw that there is a search operation. So i switched to search. Now the
> server denies some read operations.
>
> So, my questions are: Is it just normal that anyone can see the LDAP tree?
> Is there any other option to hide my tree? And what attributes have to be
> readable to login?
>
> Thanks a lot.
> Holger
>
--
Diego Lima
http://www.diegolima.org